Websense® ThreatSeeker® Intelligence Cloud has detected that the U.S. version of the Metro International website (metro.us) has been compromised and is serving malicious code. Metro newspaper editions are distributed in high-traffic commuter zones or in public transport networks. In the U.S., Metro is published in New York,Boston, and Philadelphia, and is "written and designed for young and ambitious professionals." The U.S. website has over 1 million visitors a month. When a visitor goes to the main page, metro.us redirects to metro.us/newyork/. That page is injected with a malicious iFrame that redirects users to websites serving exploit code, which subsequently drops malicious files on the victim's computer.

Websense Security Labs™ has contacted the IT team of metro.us with a notification regarding the compromise, and they are investigating the issue.

Please note that in the UK there is an unrelated Metro publication (Associated Newspapers), which is not linked to the campaign in question.

Analysis

The injected code has been found in multiple locations within the main website. When a user browses to the main website, the injected code loads automatically, and silently redirects the user through a TDS (Traffic Distribution System or Traffic Direction System) to a website hosting the RIG Exploit Kit. The exploit kit tries to load exploit codes to exploit various vulnerabilities, in order to drop a malicious executable on the victim's computer.

Here is a sample of the injected iFrame (which was found on multiple pages on metro.us):

The redirection target from the iFrame (hxxp://fsbook.us/?mt) is part of the TDS. It sets a cookie (to thwart repeated analysis attempts), then redirects to hxxp://fsbook.us/link.php:

RIG Exploit Kit

RIG "came on the scene" around April 2014, and was heavily used to distribute ransomware such as Cryptowall.

According to Websense ThreatSeeker Intelligence Cloud telemetry, as expected for this specific campaign, most of the victims come from the U.S. and Canada, but let's take a broader look at the geographic telemetry from RIG Exploit Kit, in the last 2 months:

Top 10 Countries affected by RIG Exploit Kit

Country

Percent of Total

United States

32.36%

Canada

6.10%

United Kingdom

5.97%

Australia

5.84%

India

4.51%

Italy

3.72%

Peru

3.58%

Germany

2.52%

South Africa

2.39%

France

2.12%

We still see a heavy bias towards the U.S., Canada, the UK, and Australia, which aligns with what cyber criminals regard as "high quality" traffic.

The RIG Exploit Kit landing page is heavily obfuscated (which is typical with exploit kits). It functions in a similar way to other crimeware exploit kits, in that it tries to load exploit code for vulnerable plug-ins, such as Java, Flash, and SilverLight.

Like other prominent exploit kits, the request headers must have a correct referrer to load the malicious content. In this case, the referrers were metro.us compromised pages.

Taking advantage of the exploit, an obfuscated executable is dropped on the victim's computer:

Virus Total detection for the dropped file, at the time of writing, is 7/53

The malware that was dropped has a few notable features:

Queries information on disks, possibly for anti-virtualization

Retrieves Windows ProductID, probably to fingerprint sandboxes

Checks for presence of known windows from debuggers and forensic tools

Steals private information from local Internet browsers

Installs itself for autorun at Windows startup

Communication has been observed to these hosts:

hxxp://report.oce3a7ku179a17e3.com/

hxxp://update.jffgrr8.com/

Communication was also observed to:

http://www.bing.com/chrome/report.html

Here is Websense' Threatscope™ sandbox report for a file dropped in this attack.

Conclusion

As we can see, compromising popular media web pages continues to be a common threat. Websense Security Labs blogged a month ago about another popular site that was compromised, and there will likely be more cases of this sort in the near future since the "high quality" traffic is desirable to cyber criminals (perhaps suggested by heavy U.S./Canada/UK/Australia bias). We can see that the cyber criminals use various methods to increase the chance of infection while trying to maintain anonymity through use of a TDS (in some cases more than one). While RIG Exploit Kit is popular now, we see other exploit kits such as Angler, Goon/Infinity, Nuclear Pack, and Magnitude used for similar purposes. In many cases, the TDS rotates between different exploit kits.

Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of AskMen (at www.askmen.com ), a popular free online men's web portal, has been compromised and injected with malicious "drive by" code that appears to be part of a mass-injection attack. According to similarweb.com, AskMen's website has more than 10 million visitors each month. The injected code redirects a user to a website serving exploit code, which subsequently drops malicious files on the victim's computer.

Websense Security Labs™ has contacted the host master of askmen.com with a notification regarding the compromise.

Update: We've been working with Ziff Davis' web security team regarding the compromise, as of today (7th July 2014) we verified with our processes that the website is clean when checked at 14:00 BST and does not serve malicious code. This is not a guarantee the website will continue to be clean. We will continue to monitor the website and update the blog if needed.

Analysis

The injected code has been found in multiple locations within the main website as well as in localized versions of it, like au.askmen.com. When a user browses to the main website, the injected code loads automatically and silently redirects the user to a website serving the actual exploit code. The injected code is obfuscated and can be found at the bottom of legitimate JavaScript pages on AskMen's website.

The injected code on AskMen's website:

How DGA is used to redirect the user

The obfuscation used here is a simple base64 encoding, which can be easily de-obfuscated to a Redirect to a website generated by its domain generation algorithm (DGA) as well as the DGA itself.

De-obfuscated JavaScript code:

What the above code does is basically this: It takes the current date (year, month, and day) and uses a CRC32 algorithm as a hash function to hash that data, which ends up being the domain name. This means that a new domain will be generated everyday, and as we know how the algorithm works, we can easily predict future domains. For example, the domains that will be generated in the next 7 days (from 24 to 30 June) can be seen below.

Exploit page URLs from 24 to 30 June:

The Redirect takes the unsuspecting user to a heavily obfuscated page serving a Java exploit (most likely CVE-2013-2465) and also an Adobe PDF reader exploit.

The exploit page:

Java exploit:

Nuclear Pack Exploit Kit

The exploit page displays similar obfuscation techniques, which are often used in the Nuclear Pack exploit kit. In addition, the above mentioned Java exploit is most often used by Nuclear Pack. These facts strongly indicate that the attacker is using either the Nuclear Pack exploit kit or a variant of it.

The similarities between the obfuscation methods can be seen below. For example, note how the eval() function is obfuscated when some color name is inserted in the middle of the string. The page uses this as the default background and the string is removed dynamically at runtime. So "eblackval" will successfully be evaluated as "eval".

AskMen exploit page:

Nuclear Pack exploit kit page:

Malware

Once the target is successfully exploited, the infamous malware Caphaw is dropped, allowing the attacker unfettered access to the victim's computer.

Conclusion

As we can see, even very popular websites are not immune to malicious code injection attacks. An attack of this scale can potentially infect tens of thousands of unsuspecting users due to the nature of the attack and the high popularity of the website.